The microblog: 2018.10.10 18:29:18

2018.10.10 18:29:18 (1050060715065790465) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1049640496988065793):

Not true. makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)


2018.10.09 14:39:30 (1049640496988065793) from "Gregory Neven (@gregoryneven)", replying to "Calvin (@kcalvinalvinn)" (1049637945794162689):

Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (, but proved that it is unnecessary.